It’s been over a month since the tumultuous arrival of GDPR. This marks a sea change for data protection and privacy regulation worldwide. But in contrast to the commotion during the lead-up, the first month of the GDPR era has been mostly silent.
Brussels has yet to announce any violations or fines. In addition, we don’t know whether the EU’s data protection authority is actively investigating complaints. EDPS, the EU’s independent data protection authority, shared its last update on May 31.
Despite the quiet among political entities, the data protection front itself is far from quiet, particularly in the EU member states. Authorities have reported significant upticks in data protection complaints. An increase in reports of data breaches by companies processing EU citizen data (GDPR requires such breaches to be reported within 72 hours) has also been cited. CNIL, the French data protection authority, has reported a 50% rise in complaints.
All the while, users with EU-based site accounts have been bombarded with emails notifying them of updated privacy policies and consent confirmations (although some have questioned whether or not businesses are actually doing anything). Some online vendors have taken it to the extreme by continuing to bar EU IP addresses completely from online signups and purchases in order to reach compliance.
In order to maintain compliance and ensure the welfare of digital users, businesses are increasingly turning to the role of the data protection officer.
What is a Data Protection Officer (DPO)?
One of the most significant requirements of GDPR is that certain organizations must appoint a ‘data protection officer’ to oversee compliance with the regulation. Formally, the role dates back at least to 2001, when German law began requiring companies with more than 9 people to appoint a DPO if the organization works with personal data. Under such previous laws, the DPO serves as a referee for data protection issues. The DPO is charged with balancing the interests of an organization’s leaders, employees, shareholders, and data subjects.
GDPR extends the DPO requirement to companies of all sizes whose “core activities” involve processing personal data of EU citizens. New DPOs will be tasked with monitoring compliance with GDPR through data audits, trainings, and general awareness-spreading throughout their organizations. They’re also the first point of contact for data protection authorities, as well as data subjects with questions or complaints about how personal data is handled.
European Union flag overlaid with GDPR symbol. (Image source: Pixabay)
Does your organization need a DPO?
Article 37 of the GDPR stipulates that organizations must appoint a data protection officer if any of the following conditions are met:
- The organization is a public authority or body that processes EU data (with the exception of courts acting in a judicial capacity).
- The “core activities” of the organization involve regular and systematic monitoring of data subjects on a large scale.
- The “core activities” of the organization involve processing data relating to criminal convictions.
Many will consider “core activities,” “large scale,” and “regular and systematic monitoring” subject to interpretation. The UK’s Information Commissioner’s Office offers some helpful advice in this regard:
- “Core activities” are the primary business activities of an organization. If working with personal data is necessary to achieve a key business objective, then it’s a core activity.
- “Regular and systematic” monitoring of data subjects includes all forms of tracking and profiling, both online and offline. Behavioral advertising falls under this category.
- When determining if processing is on a “large scale,” the number of subjects, volume and range of information, and duration or permanence of the processing activity all ought to be taken into account.
For example, if your organization’s marketing department regularly uses algorithms to monitor and analyze the behavior of users or customers, that would almost certainly meet the criteria for requiring a DPO.
Why a DPO is a good idea, even if you don’t need one
At first, the DPO requirement may seem totally unrealistic for many organizations. Few SMEs can afford to spend significant amounts of time ensuring compliance with new data protection legislation, let alone hiring a data protection expert to scrutinize their day-to-day operations.
The good news is that appointing a DPO isn’t as costly as it might seem. For one, companies can appoint an existing employee to the role. GDPR doesn’t require DPOs to have any specific education or training. The statute requires only that a potential DPO have suitable “professional qualities” and some knowledge of data protection law and practices. In this vein, EDPS offers resources for the fledgling DPO, including a brief PowerPoint presentation that helps them get started.
Indeed, a quick LinkedIn search of the recently announced list of EU agency DPOs reveals that many lack any specialized training in data protection. For smaller organizations in particular, a DPO with some general background in law seems to suffice. For them, cybersecurity organizations like the Security & Continuity Institute (SECO) in Amsterdam offer training programs and certification exams. In other cases, organizations can appoint an external DPO without hiring them as a full-time employee. Companies like the DPO Network have been offering recruitment services for both internal and external data protection and privacy experts, including DPOs.
Even for organizations that don’t ostensibly need a data protection officer, it’s still a good idea to have one. At this early stage, it’s hard to know how wide-ranging GDPR enforcement will become, or how terms like ‘large scale’ and ‘core activities’ will be interpreted. And even if an organization believes itself fully compliant with the regulation now, a change of strategy in a marketing department or an engineering team could bring its ‘core activities’ within the regulation’s scope.
Appointing a DPO can be a cost-effective way of preempting complaints, as well as identifying places where compliance may be compromised, now and in the future. Perhaps even more important, most experts agree that for the foreseeable future GDPR enforcers will scrutinize companies for good-faith efforts to reach and maintain compliance. Voluntarily appointing an officer to serve as a point of contact with regulators and data subjects is a great way to show such an effort.